Disabling SSLv3 but still supporting SSLv2Hello in Apache

java apache-2.2 poodle

Solution 1:

Apparently mod_ssl has changed in the last year or so (I haven't found the exact commit to the source, but found the "problem"). The source now does this:

If SSLProtocol only includes only one Protocol:
    Handshake = That Protocol's Handshake Only
Else
    Handshake = SSLv2 Handshake

There's no override for this setting. The only thing you could do is edit the source, recompile your own version. I've created a diff to force SSLv2 Handshake compatibility if you want to compile your own.

Solution 2:

So it turns out this was a non-issue all along. Apache will accept SSLv2 handshake with either of the configurations I posted above. I was misled by a handshake error into thinking this was the issue; it was really just a configuration issue where the server wasn't trusting the client's CA.

Related

Can't use long path names in Windows 2016
Small Business Network Switches/General network configuration
Microsoft Windows equivalent to LXC
Whats the average lifespan of a server?
How can I reject base64 encoded spam email?
Executing Javascript from Python
How to get the caller class in Java [duplicate]
jquery-ui and webpack, how to manage it into module?
Is it possible to use Razor View Engine outside asp.net
Open a link in browser with java button? [duplicate]
Why do stacks typically grow downwards?
What does it mean when one civilization "denounces" another?